For the border crossing situation mentioned above I have a rather unusual possibility for you.
First get yourself an Opal 2.0 compliant SSD (any Samsung SSD should do) and activate the device to turn on encryption with a non-default key. Format the device and create a partition table as normal. Unlock the “shadow MBR” with your key and format the device again and create your partitions for your VMs to live on and install.
What does this do? When the device is still locked anybody looking at it will just see a normal partition table but an empty drive. Once the shadow MBR is unlocked the actual partitions will appear and will be usable just like a normal SED device. Once the SED is powered down its back to the default MBR and it being an empty drive to anyone who might inspect it. Putting the drive into any computer without unlocking it first its just a blank SSD drive. Everything on that drive is encrypted so even if they do a binary copy of the device thinking that they can recover data off of a blank/erased device all they will have is garbage. You just need to store a binary key somewhere so you can unlock the shadow MBR to use it.